Description Of Changes
This commit addresses this need by changing the DAG to use a new Verify-PowerShellScripts task, rather than the Sign-PowerShellScripts task. The latter is still available to call directly, when required, but only when a valid certificate is in place.
Supporting parameters and build directories have been created, to allow control over what the tasks do, including the ability to skip the verification step, using the --shouldVerifyPowerShellScripts command line argument.
A new verify-powershell.ps1 file has been added to check the list of incoming files, and the sign-powershell.ps1 has been updated to only sign when the current signature is invalid. To aid with getting the signed files added back into the repository, the signed files are uploaded as artifacts of the build.
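The verify-then-sign-only-when-needed logic described above, as an added illustration rather than the PR's own verify-powershell.ps1 or sign-powershell.ps1. It assumes scripts live under a given folder, that the first code-signing certificate in the CurrentUser\My store is the signing identity, and that a signature counts as valid only when Get-AuthenticodeSignature reports a Status of Valid (which also requires the signer's chain to be trusted on the build agent).

```powershell
# Added example; not the project's scripts. See the lead-in for assumptions.

# List every script whose Authenticode signature is missing or no longer valid.
function Get-UnsignedOrInvalidScripts {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -Include *.ps1, *.psm1, *.psd1 -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer = $sig.SignerCertificate.Subject
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

# Verify step: returns $false (so the build can fail) if any script is unsigned,
# was edited after signing (HashMismatch), or is signed by an untrusted chain.
function Test-PowerShellScripts {
    param([Parameter(Mandatory)][string]$Path)

    $bad = @(Get-UnsignedOrInvalidScripts -Path $Path)
    foreach ($b in $bad) { Write-Warning ('{0}: {1}' -f $b.Status, $b.File) }
    return ($bad.Count -eq 0)
}

# Sign step: only touches files whose signature is missing or invalid, so
# already-signed, committed scripts stay byte-for-byte unchanged.
function Invoke-SignInvalidScripts {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$TimestampServer   # optional RFC 3161 TSA; assumed to be supplied by the caller
    )

    $cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
    if (-not $cert) { throw 'No code-signing certificate available; refusing to sign.' }

    $signArgs = @{ Certificate = $cert; HashAlgorithm = 'SHA256' }
    if ($TimestampServer) { $signArgs['TimestampServer'] = $TimestampServer }

    foreach ($item in Get-UnsignedOrInvalidScripts -Path $Path) {
        $result = Set-AuthenticodeSignature -FilePath $item.File @signArgs
        if ($result.Status -ne 'Valid') { throw "Signing failed for $($item.File): $($result.Status)" }
        Write-Host "Signed $($item.File)"
    }
}

# Usage in a build step:
# if (-not (Test-PowerShellScripts -Path .\scripts)) { exit 1 }
# Invoke-SignInvalidScripts -Path .\scripts
```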
Motivation and Context
We don't want to sign files when we don't need to. Going forward, PowerShell scripts are going to be signed when they are committed to the repository and only re-signed when required.
Testing
This will be a tricky one to test 😢
This will need to be tested in conjunction with this PR, and also in conjunction with a new build configuration for calling the updated Sign-PowerShellScripts task.
Happy to jump on a quick call to discuss further.
Operating Systems Testing
N/A
Change Types Made
[ ] Bug fix (non-breaking change).
[x] Feature / Enhancement (non-breaking change).
[ ] Breaking change (fix or feature that could cause existing functionality to change).
Change Checklist
Related Issue
Fixes #149